SCA


Security Configuration Assessment 


Automate configuration assessment
of global IT assets.


Comprehensive vulnerability management 
requires continuous configuration 
assessment, because hackers constantly 
try to exploit weak configuration settings. 
To help ensure your systems are properly 
hardened, Qualys developed Security 
Configuration Assessment (SCA). 


A Qualys Vulnerability Management (VM) add-on, Qualys SCA 
lets you expand your VM program with automatic assessment 
of IT assets’ configurations. Using the latest Center for Internet 
Security (CIS) Benchmarks, Qualys SCA provides intuitive and 
easy workflows for assessing, monitoring, reporting and 
remediating security-related configuration issues. Built on the 
world’s leading cloud-based security and compliance platform, 
Qualys SCA lets you ensure the consistency, integrity and 
strength of your IT assets’ configurations without the 
deployment cost and complexity of legacy configuration
management products.
[Screenshot: Qualys SCA report for the CIS Benchmark for Microsoft Windows 7, with a Pass/Fail/Error summary (909 passed, 1139 failed, 0 errors across 8 active hosts) and detailed results for the BitLocker Drive Encryption controls.]


Key Features 


Broad coverage 


Qualys SCA is an add-on for Qualys Vulnerability Management that 
lets you assess, report, monitor and remediate security-related 
configuration issues based on the Center for Internet Security (CIS) 
Benchmarks. It supports the latest out-of-the-box CIS benchmark 
releases of operating systems, databases, applications and network
devices.


Ease of use 


SCA’s CIS assessments are provided via a web-based user interface 
and delivered from the Qualys Cloud Platform, enabling centralized 
management with minimal deployment overhead. CIS controls can be 
selected and customized according to an organization’s security 
policies. This eliminates the cost, resource and deployment issues 
associated with traditional software point products for configuration
management.


Accountability for controls 


Qualys SCA controls are developed and validated in-house by Qualys 
security experts and certified by CIS. The controls are optimized for 
performance, scalability, and accuracy. Qualys SCA can be used in IT 
environments of any size, from small ones to the largest. 


Reports and dashboards 


SCA users can schedule assessments, automatically create 
downloadable reports of configuration issues, and view dashboards 
for improving their security posture. This brings full circle Qualys 
SCA’s automation of security best practices behind leading 
benchmarks, and lets InfoSec teams take a proactive approach
towards digital business security.


Qualys SCA is a cloud
solution for expanding
VM programs with
configuration scanning and
simplified workflows to
address configuration
issues. Its capabilities are
powered by the Qualys
Cloud Platform.


Benefits 


Broad Coverage 


Leading CIS Benchmark coverage for operating
systems, databases, applications and network
devices


Ease of Use


Centrally managed assessment with minimal 
deployment overhead and the scalability of the 
Qualys Cloud Platform 


Flexible Deployment 


Agent-based or remote scanning 




Detailed Features 
Augment your Qualys VM cloud service 


Configuration assessment is an essential part of a comprehensive 
vulnerability management program. However, our competitors either 
combine lightweight vulnerability and configuration assessment, or 
offer the functionalities in separate products that aren’t integrated. 
Qualys gives you the best of both worlds. Qualys Vulnerability 
Management (VM) continuously scans and identifies vulnerabilities 
with Six Sigma (99.99966%) accuracy, protecting IT assets on 
premises, in the cloud and mobile endpoints. Qualys SCA, designed to 
work natively with Qualys VM, can be added seamlessly to your 
account with one click. Qualys SCA complements Qualys VM’s 
capabilities for detecting IT asset flaws with capabilities for 
assessment and reporting of configuration settings in 4 easy steps: 




Gartner 


“Both vulnerability assessment and 
security control assessment capabilities 
are critical because many regulations 
prescribe technical control assessments 
(which drives SCA) and also explicitly
prescribe vulnerability assessments.”


Anton Chuvakin 


Research Vice President & 
Distinguished Analyst, Gartner 


Extensive Cloud Support 
Built for the cloud and integrated with leading
cloud service providers


Powerful Reports and Dashboards 


Automatic assessment scheduling and report
generation


Native Integration with other Qualys Apps 


Integration with Qualys Asset Inventory and Qualys 
VM lets you quickly identify targets, manage 
authentication, and find results 


DEFINE: First import assets found using VM scans and
use the authentication configuration from VM when scanning 
for configuration issues with SCA. Then import the applicable 
CIS policies into your subscription and customize the controls 
per your security standards, all using Qualys SCA’s simple, 
web-based UI. 


ASSESS: Scan your IT assets and map the asset to the right CIS 
policy. 


REPORT: Generate the report showing your control posture 
against the CIS Benchmarks, Qualys-provided control criticality 
and remediation information, and the evidence for failure or 
passing, as well as the references to compliance standards. You 
can activate and deactivate controls as necessary for reporting 
purposes. 


REMEDIATE: Remediate the failed controls, using
Qualys-provided control criticality and the control
remediation information.


Perform configuration 
assessments quickly and 
comprehensively 


Improperly configured IT assets put your 
organization at an increased risk for breaches. 
However, it’s common for organizations to rush 
systems into production with default settings and 
without basic hardening. Addressing these issues is 
key for data protection, regulatory compliance, and
secure digital transformation initiatives.


With Qualys SCA, you'll be able to automatically 
and continuously check that your IT assets -- on 
premises, in clouds and on mobile endpoints -- are 
configured securely according to CIS guidelines. 
This will give your organization a solid foundation 
not only for security but also for compliance with 
most regulations like HIPAA and with industry 
mandates like PCI-DSS. Providing the industry’s 
widest coverage for CIS Benchmark technologies, 
Qualys SCA assesses the configuration of elements 
such as: 


• Operating systems
• Server software
• Cloud providers
• Network devices
• Desktop software


Leverage the knowledge of 
industry experts 


Qualys SCA operationalizes the non-profit Center 
for Internet Security’s (CIS) Benchmarks by 
supporting them out of the box and automating the 
assessment of critical configuration settings on 
your IT assets against these guidelines. 


The CIS Benchmarks, applicable to over 100
technologies and platforms, are unbiased and not
motivated by profit considerations, and created via
consensus by a community of international
cybersecurity experts, including experts from
Qualys.


Conduct remote scanning and 
auto-discovery of assets 


SCA uses the same data collection technologies as 
Qualys VM, allowing for agent or agentless data 
collection, so that customers can comprehensively 
detect and better safeguard global endpoints,
on-premises systems and cloud assets against today’s
evolving cyber threats. Qualys data collection tools 
and processes cover all your bases and include: 


• Physical and virtual appliances that scan IT assets
located on-premises, in private clouds, or in
virtualized environments


• Cloud appliances that remotely scan your
infrastructure-as-a-service (IaaS) and
platform-as-a-service (PaaS) instances in commercial
cloud computing platforms


• Lightweight, all-purpose, self-updating cloud
agents that reside on the IT assets they
continuously monitor, with minimal network impact
and no need for scan windows, credentials or
firewall changes, and no need for the device to be
online during your scheduled scanning windows.

Sharpen and simplify 
configuration assessments 


With its benchmark-based guidance, simplified 
workflows for scanning and reporting, and cloud- 
based deployment, Qualys SCA provides a variety 
of advantages over competing products, especially 
legacy point solutions installed on premises: 


• Lower cost of ownership because as a cloud
service there’s no software to install or maintain.


• Improved protection of hybrid IT environments
through the highly-scalable, extensible and
centrally-managed Qualys Cloud Platform.


• Consistent maintenance of a standard configuration
throughout the enterprise via baseline
configuration standards that can be applied prior
to asset deployment.


• Increased compliance and business effectiveness
and efficiency, as well as stronger security posture.


• Protection of the infrastructure and operations
underpinning your organization’s key digital
transformation efforts.


[Screenshot: Qualys SCA policy import screen. It lists 129 CIS-certified policies by technology (for example Amazon Linux AMI, Apache HTTP Server 2.2.x and 2.4.x, Debian GNU/Linux 7.x and 8.x, Docker 1.x), each of which can be selected and imported.]


Powered by the Qualys Cloud Platform 
- the revolutionary architecture that powers 
Qualys’ IT security and compliance cloud apps 


Sensors that provide continuous visibility


On-premises, at endpoints or in the cloud, the Qualys Cloud
Platform sensors are always on, giving you continuous 2-second
visibility of all your IT assets. Remotely deployable, centrally
managed and self-updating, the sensors come as physical or
virtual appliances, or lightweight agents.


Respond to threats immediately


With Qualys’ Cloud Agent technology, there’s no need to
schedule scan windows or manage credentials for scanning.
And Qualys Continuous Monitoring service lets you proactively
address potential threats whenever new vulnerabilities appear,
with real-time alerts to notify you immediately.


All data analyzed in real time


Qualys Cloud Platform provides an end-to-end solution, allowing
[...] in a scalable, state-of-the-art backend, and provisioning additional
cloud apps is as easy as checking a box.


See the results in one place, anytime, anywhere


Qualys Cloud Platform is accessible directly in the browser, no
plugins necessary. With an intuitive, single-pane-of-glass user
interface for all its apps, it lets you customize dashboards, drill down
into details, and generate reports for teammates and auditors.


Cloud Platform Apps 


Qualys apps are fully integrated and natively share the data they collect for real-time 
analysis and correlation. Provisioning another app is as easy as checking a box. 


ASSET MANAGEMENT: Asset Inventory, CMDB Sync


IT SECURITY: Vulnerability Management, Threat Protection, Continuous Monitoring, Indication of Compromise, Container Security


WEB APP SECURITY: Web App Scanning, Web App Firewall


COMPLIANCE MONITORING: Policy Compliance, PCI Compliance, File Integrity Monitoring, Security Configuration Assessment, Cloud Security Assessment, Security Assessment Questionnaire


Qualys is easy to implement, easy to use, fully scalable -
and requires NO infrastructure or software to maintain.